HP's collection of security services includes five support options and is the first set of services of its kind offered on the Linux operating system, said Erik Lillestolen, the government program manager for open source and Linux at HP.

The support options include long-term support; multilevel security (MLS) application on-site training; MLS application design, implementation and validation; MLS support; and a two-tiered standard-level support pack, Lillestolen said. MLS is designed for customers managing top-secret information, such as government and military agencies, he said.


"An enterprise [Red Hat] customer could implement MLS," said Lillestolen, "however, as a whole they probably would not have a large need for it. Customers in the enterprise sector would probably be best served with single-layer security."

HP also sells and supports hardware running Novell Inc.'s SUSE Enterprise Linux but doesn't offer the same MLS services for the OS because Novell has not undergone Common Criteria certification for the same level of security as RHEL 5, Lillestolen said.

Common Criteria is an internationally approved set of security standards used by governments and businesses worldwide that rates the features of computer systems with seven evaluation assurance levels (EAL). These levels are obtained through an extensive testing and certification process. Both Red Hat and Novell have acquired EAL 4-plus on a variety of hardware offerings from IBM, HP, Unisys and more for their respective Linux operating systems.

HP has achieved Common Criteria certification at Evaluation Assurance Level 4 (EAL4) with the Labeled Security Protection Profile (LSPP). RHEL 5 also achieved LSPP via SELinux, an implementation of mandatory access control originally developed by the National Security Agency (NSA) that uses the Linux Security Modules (LSM) framework in the kernel. SELinux ships with RHEL 5 and is turned on by default.

Many U.S. and European government agencies and other high-level security organizations, including the U.S. Department of Homeland Security (DHS), use Common Criteria certification as a determining factor in making IT purchasing decisions. Morris Segal, a systems architect at DHS, said that the criteria have their limits, though.

"A brick would make EAL 7 as long as there wasn't anything written on it," he said. "The more secure something is, the less functional it is."

Segal said users are probably best served when they use an operating system, application or software suite that has a rating of at least an EAL 3 or EAL 4. With that knowledge in hand, most customers can be assured that the software they buy has been properly vetted by an independent international organization and does not require additional testing on their part, he said.

"Most of us in this business have a different focus than doing security checks. [JBoss] being certified means users won't have to be security gurus every time they install it," he said.
